The theft of private data on 143 million Americans made the Equifax cyberattack one of the biggest in history. The company’s handling of the breach came under intense scrutiny, resulting in the resignation of CEO Richard Smith in September 2017 amid the turmoil. He wasn’t the first or the last casualty. A Gartner analysis of security breaches reported in news media over a five-year period shows that CEOs are increasingly blamed and punished as a result of cybersecurity-related events — even more so than IT executives. The consequences include dismissal, resignation or loss of significant compensation.
CIOs and CISOs concerned with IT risk must help CEOs achieve greater defensibility with key stakeholders such as customers, board members, regulators and shareholders, says Paul Proctor, Distinguished VP Analyst at Gartner. “This isn’t about a scare campaign or a wake-up call for executives and the board,” says Proctor. “This is a real opportunity for CIOs and CISOs to rethink how they engage senior non-IT executives to prioritize and fund security.”
How to create defensibility
Gartner has identified eight reasons why more CEOs will be fired over cybersecurity breaches. Addressing them will make your security program more defensible — not against “bad guys” but with key stakeholders, so they are satisfied with the organization’s security approach.
1. Invisible systemic risk
Businesses make decisions every day that negatively impact their security readiness — for example, refusing to shut down a server for proper patching, or choosing to keep working on old hardware and software to save budget. CIOs need to be sure that invisible systemic risk is recognized, reported and discussed in governance processes.
2. Cultural disconnect
While organizations have understood for more than a decade that security is a business problem, they continue to struggle to approach it as one. It is still treated largely as a technical problem, handled by technical people and buried in IT, even though it has been presented in the boardroom at least annually for years.
3. Throwing money at the problem
You can’t buy your way out — no amount of spending makes you perfectly protected. Overspending also harms business outcomes by raising ongoing operational costs and potentially damaging the organization’s ability to function.
4. Your security officer is the defender of your organization
Security staff are hired because they’re experts and their job is to protect the organization. This silos the issue, placing people in charge of protecting business outcomes they don’t understand.
5. Broken accountability
Accountability should mean that a decision to accept risk is defensible to key stakeholders. If accountability means that someone will get fired if something goes wrong, no one will engage.
6. Poorly formed risk appetite statements
Organizations create generic high-level statements about their risk appetite that don’t support good decision making. Avoid promising to only engage in low-risk activities. This is counter to good business and creates another good reason to fire you if you engage in risky activities.
7. Social pressure
Blaming an organization for getting hacked is like blaming a bank for getting robbed. The difference is that the banks are defensible — most organizations aren’t. When a headline-grabbing security incident happens, society just wants heads to roll. While this isn’t fair, it’s the result of decades of treating security as a black box. Society is not going to change until organizations and IT departments start treating and talking about security differently.
8. Lack of transparency
Gartner has witnessed countless interactions with organizations that have boards and executives who do not want to hear or acknowledge that security is not perfect. Some board presentations are filled with good news about the tremendous progress that has been made in improving security, with little or no discussion about where gaps and opportunities for improvement exist. “IT and non-IT executives alike must be willing to understand and talk about the realities and limitations of how security works, to tackle the challenges,” says Proctor.